{
	"id": "847456d5-1dff-4e45-8bb6-7f59d6b98c0a",
	"created_at": "2026-04-06T00:17:55.957599Z",
	"updated_at": "2026-04-10T03:34:00.274232Z",
	"deleted_at": null,
	"sha1_hash": "17a419248a785b5ba451d3ebcdb49e8326140c0b",
	"title": "TA453: Activity, Techniques, \u0026 Targeting Explained | Proofpoint US",
	"llm_title": "",
	"authors": "",
	"file_creation_date": "0001-01-01T00:00:00Z",
	"file_modification_date": "0001-01-01T00:00:00Z",
	"file_size": 1951817,
	"plain_text": "TA453: Activity, Techniques, \u0026 Targeting Explained | Proofpoint\r\nUS\r\nBy Joshua Miller, Crista Giering and the Proofpoint Threat Research Team\r\nPublished: 2022-12-08 · Archived: 2026-04-05 13:13:10 UTC\r\nKey Takeaways \r\nFrom at least late 2020 and through 2022, TA453 has engaged in campaigns that deviate from the group's\r\nexpected phishing techniques and target victimology. \r\nIn these campaigns, TA453 has employed the use of compromised accounts, malware, and confrontational\r\nlures to go after targets with a range of backgrounds from medical researchers to realtors to travel\r\nagencies.  \r\nProofpoint researchers assess with moderate confidence that this activity reflects a flexible mandate to the\r\nIslamic Revolutionary Guard Corps' (IRGC) intelligence requirements. \r\nFurther, a sub-cluster of TA453 activity demonstrates a possible directive to support covert, and even\r\nkinetic, operations of the IRGC. \r\nOverview\r\nSince at least late 2020, Proofpoint researchers have observed aberrations in TA453 (which overlaps with groups\r\npublicly known as Charming Kitten, PHOSPHORUS, and APT42) phishing activity in which the threat actor has\r\nstepped away from its typical phishing techniques and target victimology. A hallmark of TA453’s email campaigns\r\nis that they almost always target academics, researchers, diplomats, dissidents, journalists, human rights workers,\r\nand use web beacons in the message bodies before eventually attempting to harvest a target’s credentials. Such\r\ncampaigns may kick off with weeks of benign conversations from actor-created accounts before attempted\r\nexploitation.\r\nBy comparison, TA453’s outlier campaigns have targeted medical researchers, an aerospace engineer, a realtor,\r\nand travel agencies, among others. They have leveraged new-to-TA453 phishing techniques including\r\ncompromised accounts, malware, and confrontational lures. 
Proofpoint judges with moderate confidence that this\r\natypical activity reflects TA453’s dynamic support to ad hoc Islamic Revolutionary Guard Corps’ (IRGC)\r\nintelligence requirements. This activity also provides researchers with a better understanding of the IRGC’s\r\nmandate and insight into TA453’s potential support of IRGC surveillance and attempted kinetic operations.\r\nExpected TA453 Activity\r\nProofpoint tracks approximately six subgroups of TA453—more details of which are shared in the Attribution\r\nsection of this report—differentiated primarily by victimology, techniques, and infrastructure. Regardless of the\r\nsubgroup, TA453 typically targets academics, policymakers, diplomats, journalists, human rights workers,\r\ndissidents, and researchers with expertise in the Middle East. Email accounts registered by TA453 generally match\r\nhttps://www.proofpoint.com/us/blog/threat-insight/ta453-refuses-be-bound-expectations\r\nPage 1 of 7\n\nthematically with their targets and the threat actor favors including web beacons in its email campaigns. TA453\r\nheavily relies on benign conversations to initiate contact with targets—of which Proofpoint has observed over 60\r\nsuch campaigns in 2022. TA453 almost always delivers credential harvesting links with the intent of gaining\r\naccess to a target’s inbox for exfiltration of email content. Some subgroups will converse for weeks before\r\ndelivering the malicious links, while others will immediately send the malicious link in the first email.\r\nTA453 Branches Out with its Techniques and Targeting\r\nBeginning in late 2020, Proofpoint researchers started to observe campaigns that deviated from TA453’s expected\r\nphishing activity. These deviations have received little, if any, public attention, causing Proofpoint to decide to\r\nshare our insights in this report. 
The campaigns notably leveraged techniques not previously associated with\r\nTA453’s email activity, such as:\r\nCompromised accounts\r\nAt times, a subcluster of TA453 used compromised accounts to target individuals instead of using\r\nactor-controlled accounts.\r\nThis cluster of activity operated actor-controlled URL shorteners like bnt2[.]live and nco2[.]live that\r\nredirected to typical TA453 credential harvesting pages. \r\nFor example, in 2021, approximately five days after a US government official publicly commented\r\non the Joint Comprehensive Plan of Action (JCPOA) negotiations, the official’s press secretary was\r\ntargeted via a compromised email account from a local reporter. \r\nMalware \r\nIn the fall of 2021, GhostEcho (CharmPower), a PowerShell backdoor, was sent to a variety of\r\ndiplomatic missions across Tehran. \r\nThroughout the Fall of 2021, GhostEcho was under development as demonstrated by changes in\r\nobfuscation and modifications to the kill chain, likely to evade detection. \r\nGhostEcho is a lightweight first stage used to deliver follow-on espionage focused capabilities as\r\ndocumented by CheckPoint Research. \r\nBased on similarities in delivery techniques, Proofpoint suspects that GhostEcho was also delivered\r\nto women’s rights activists in late 2021 but the payload was not available at the time of our analysis.\r\nConfrontational lures\r\nTA453 has leveraged one persona in particular, Samantha Wolf, for confrontational social\r\nengineering lures intended to use a target’s sense of uncertainty and fear to get them to respond to\r\nthe threat actor’s emails.\r\nSamantha, who we discuss in the next section, has sent these lures, including car accident and\r\ngeneral complaint themes, to US and European politicians and government entities, a Middle\r\nEastern energy company, and a US-based academic. 
\r\nThe following is a comprehensive chart of Proofpoint-observed outlier activity followed by deeper dives into\r\ncampaigns that exemplify TA453’s irregular activity.\r\nHighlights of Proofpoint-Observed Abnormal TA453 Targeting Between 2020 and 2022\r\nTime of Activity | Activity Description\r\nDecember 2020: Medical Targeting | In TA453’s BadBlood campaign they targeted senior medical professionals who specialize in genetic, neurology, and oncology research in the United States and Israel with credential phishing.\r\n2021: Aerospace Company | According to some open-source reporting, the Islamic Revolutionary Guard Corps (IRGC) has increasingly inserted themselves into Iran’s fledgling space program, so it is not surprising that TA453 targeted the email accounts of an engineer involved in space research in 2021.\r\nJuly \u0026 August 2021: Women’s and Gender Studies | Proofpoint identified a cluster of spear phishing targeting scholars with backgrounds in women’s and gender studies at a variety of North American universities. These campaigns started with generic password change lures, but the targets eventually received separate benign conversation emails that TA453 is known for. Proofpoint also observed an email address associated with this cluster of activity targeting an international sporting organization.\r\nAugust 2021: Iranian Travel Agencies | Proofpoint identified multiple Iranian travel agencies operating out of Tehran that were targeted with TA453 credential harvesting links. 
The targeting of travel agencies is consistent with intelligence agency collection requirements of both the movement of Iranians outside of Iran along with domestic travel.\r\nJune 2022: Medical Research | As noted in our recent blog on Multi-Persona Impersonation, TA453 occasionally targets medical researchers. Most recently they focused their attentions on researchers working on organ replacement.\r\nFebruary 2022: Realtor in Florida | Proofpoint observed a Gmail address targeting a Florida-based realtor with a benign conversation and TA453 affiliated web beacon. Open-source research of the realtor identified they were involved in the sale of multiple homes located near the headquarters of US Central Command (CENTCOM) during the phishing campaign. CENTCOM is the US Combatant Command responsible for military operations in the Middle East. The tracking pixel was hosted on profilepic[.]site, which Proofpoint attributes to TA453 partially based on registration similarities to other known TA453 domains.\r\nSamantha? I don’t even know a Samantha…Do I?\r\nProofpoint researchers first identified the Samantha Wolf persona when the associated email,\r\nsamantha.wolf0077[@]gmail.com, was included in the lure content of a malicious document (SHA256:\r\na8c062846411d3fb8ceb0b2fe34389c4910a4887cd39552d30e6a03a02f4cc78). This document, which was\r\nuploaded to VirusTotal, used remote template injection to download multiple .dotm files from office-updates[.]info and is attributed to TA453. The attack chain for this cluster of activity typically resulted in a\r\nPowerShell backdoor Proofpoint calls GhostEcho (publicly tracked as CharmPower). As detailed by PwC, the\r\ndownloaded template establishes persistence by replacing the user’s previous default Microsoft Word template.\r\nFigure 1. 
Screenshot of the lure document containing the Samantha Wolf email persona.\r\nIn mid-March 2022 and early April 2022, Proofpoint researchers first observed TA453 using Samantha as the\r\nactor-controlled sender to target a Middle Eastern energy company with benign conversation emails. In late April\r\n2022, Samantha pivoted to target a US-based academic Proofpoint previously observed targeted by multiple\r\nhttps://www.proofpoint.com/us/blog/threat-insight/ta453-refuses-be-bound-expectations\r\nPage 4 of 7\n\nIranian intrusion sets, including traditional approaches by TA453. This lure broke the typical TA453 mold and\r\nused confrontational tactics to increase the urgency behind the lure.\r\nFigure 2. The Samantha persona reaches out to a US-based academic claiming a car accident.\r\nIn late 2022, Samantha encountered even more people with whom she has taken umbrage, sending additional\r\ncomplaint-themed benign conversation emails to senior US and European government officials. Samantha’s\r\nconfrontational lures demonstrate an interesting attempt to generate engagement with targets not seen from other\r\nTA453 accounts.\r\nNot So Charming: A Look at TA453’s Aggressive Side\r\nWhile most of TA453’s operations have appeared to focus on collecting intelligence, a subset of late 2021 and\r\nmid-2022 activity showed a more aggressive side to TA453 that indicates possible support to the IRGC’s kinetic\r\noperations. \r\nIn May 2022, Israeli media reported Israeli intelligence agency Shin Bet identified Iranian intelligence services’\r\nphishing activity designed to lure targets in order to kidnap them. 
Based on the indicators provided, Proofpoint\r\ncorrelated this activity with TA453 campaigns from December 2021 in which campaigns attributed to TA453 used\r\na spoofed email address of a reputable academic from the domain (css-ethz[.]ch) to give a researcher an\r\n“Invitation to Zurich Strategic Dialogue Jan-2022.\" \r\nIn early May 2022, Proofpoint identified a disturbing TA453 attributed campaign targeting a single individual. In\r\nthis campaign, TA453 utilized multiple compromised email accounts, including those of a high-ranking military\r\nofficial, to deliver a link to the target—a former member of the Israeli military. The use of multiple compromised\r\nemail accounts to target a single target is unusual for TA453. While each of the URLs observed were unique to\r\neach compromised email account, each linked to the domain gettogether[.]quest and pointed to the same\r\nthreatening message in Hebrew. The message displayed on the web page (Figure 3 below) was an image with the\r\ntarget’s first name in the file name.\r\nhttps://www.proofpoint.com/us/blog/threat-insight/ta453-refuses-be-bound-expectations\r\nPage 5 of 7\n\nFigure 3. Redacted screenshot of TA453’s aggressive messaging in Hebrew.\r\nMachine translation of the Hebrew text in the image:\r\nI'm sure you remember what I told you\r\n \"Every email you get from your friends may be me and not someone who it claims\"\r\n We follow you like your shadow, in Tel Aviv, in [redacted], in Dubai, in Bahrain.\r\n Take care of yourself\r\n ???\r\nAfter Proofpoint blocked the initial email attempts, TA453 included a commercial web beacon from mailtrack[.]io\r\nlikely to verify the delivery of its threatening emails. \r\nIt is this method of using multiple compromised accounts belonging to established connections of the target to\r\nsend a message of intimidation rather than a phishing link that indicates a possible collaboration between TA453\r\nand hostile Iranian state-aligned operations. 
This assessment is further supported by the content of the email itself\r\nand overlapping infrastructure. The gettogether[.]quest domain has resolved to 66.29.153[.]90 since mid-April\r\n2022. Co-located on that infrastructure since December 2021 is css-ethz[.]ch, the domain similar to the one\r\nspoofing The Center for Security Studies (CSS) at ETH Zurich in support of kidnapping operations discussed\r\npreviously.\r\nAdditionally, Proofpoint in mid-2022 identified that a close affiliate of a former US official targeted in the IRGC\r\nmurder-for-hire plot was targeted and successfully compromised by the Korg malware, a family exclusive to\r\nTA453. TA453 previously targeted this same individual with phishing links in April 2021 and July 2021. This\r\nfurther corroborates Proofpoint’s assessment that a subcluster of TA453 supports kinetic IRGC operations.\r\nAttribution\r\nProofpoint continues to assess that TA453 generally operates in support of the IRGC, specifically the IRGC\r\nIntelligence Organization (IRGC-IO). This assessment is based on a variety of evidence, including overlaps in unit\r\nnumbering between Charming Kitten reports and IRGC units as identified by PWC, the US Department of Justice\r\nindictment of Monica Witt, and IRGC-affiliated actors, and analysis of TA453 targeting compared to\r\nhttps://www.proofpoint.com/us/blog/threat-insight/ta453-refuses-be-bound-expectations\r\nPage 6 of 7\n\nreported IRGC-IO priorities. Proofpoint judges with moderate confidence that the more aggressive activity could\r\nrepresent collaboration with another branch of the Iranian state, including the IRGC Quds Force.\r\nClustering cyber espionage activity is often difficult when looking from different telemetry. Proofpoint currently\r\nviews TA453 as overlapping with PHOSPHORUS and roughly equivalent to APT42 and Yellow Garuda, all of\r\nwhich can be considered Charming Kitten. \r\nFigure 4. 
Charming Kitten activity clusters.\r\nConclusion\r\nTA453, like its fellow advanced persistent threat actors engaged in espionage, is in a constant state of flux\r\nregarding its tools, tactics, techniques, and targeting. Adjusting its approaches likely in response to ever changing\r\nand expanding priorities, the Proofpoint-observed outlier campaigns are likely to continue and reflect IRGC\r\nintelligence collection requirements, including possible support for hostile, and even kinetic, operations.\r\nSource: https://www.proofpoint.com/us/blog/threat-insight/ta453-refuses-be-bound-expectations",
	"extraction_quality": 1,
	"language": "EN",
	"sources": [
		"Malpedia",
		"ETDA",
		"MISPGALAXY"
	],
	"references": [
		"https://www.proofpoint.com/us/blog/threat-insight/ta453-refuses-be-bound-expectations"
	],
	"report_names": [
		"ta453-refuses-be-bound-expectations"
	],
	"threat_actors": [
		{
			"id": "82b92285-4588-48c9-8578-bb39f903cf62",
			"created_at": "2022-10-25T15:50:23.850506Z",
			"updated_at": "2026-04-10T02:00:05.418577Z",
			"deleted_at": null,
			"main_name": "Charming Kitten",
			"aliases": [
				"Charming Kitten"
			],
			"source_name": "MITRE:Charming Kitten",
			"tools": [
				"DownPaper"
			],
			"source_id": "MITRE",
			"reports": null
		},
		{
			"id": "d8af157e-741b-4933-bb4a-b78490951d97",
			"created_at": "2023-01-06T13:46:38.748929Z",
			"updated_at": "2026-04-10T02:00:03.087356Z",
			"deleted_at": null,
			"main_name": "APT35",
			"aliases": [
				"COBALT MIRAGE",
				"Agent Serpens",
				"Newscaster Team",
				"Magic Hound",
				"G0059",
				"Phosphorus",
				"Mint Sandstorm",
				"TunnelVision"
			],
			"source_name": "MISPGALAXY:APT35",
			"tools": [],
			"source_id": "MISPGALAXY",
			"reports": null
		},
		{
			"id": "d0e8337e-16a7-48f2-90cf-8fd09a7198d1",
			"created_at": "2023-03-04T02:01:54.091301Z",
			"updated_at": "2026-04-10T02:00:03.356317Z",
			"deleted_at": null,
			"main_name": "APT42",
			"aliases": [
				"UNC788",
				"CALANQUE"
			],
			"source_name": "MISPGALAXY:APT42",
			"tools": [],
			"source_id": "MISPGALAXY",
			"reports": null
		},
		{
			"id": "ae26d287-8ba7-447e-9391-cf13c02d7481",
			"created_at": "2023-03-04T02:01:54.0962Z",
			"updated_at": "2026-04-10T02:00:03.357189Z",
			"deleted_at": null,
			"main_name": "TA453",
			"aliases": [],
			"source_name": "MISPGALAXY:TA453",
			"tools": [],
			"source_id": "MISPGALAXY",
			"reports": null
		},
		{
			"id": "029625d2-9734-44f9-9e10-b894b4f57f08",
			"created_at": "2023-01-06T13:46:38.364105Z",
			"updated_at": "2026-04-10T02:00:02.944092Z",
			"deleted_at": null,
			"main_name": "Charming Kitten",
			"aliases": [
				"iKittens",
				"Group 83",
				"NewsBeef",
				"G0058",
				"CharmingCypress",
				"Mint Sandstorm",
				"Parastoo"
			],
			"source_name": "MISPGALAXY:Charming Kitten",
			"tools": [],
			"source_id": "MISPGALAXY",
			"reports": null
		},
		{
			"id": "e3676dfe-3d40-4b3a-bfbd-4fc1f8c896f4",
			"created_at": "2022-10-25T15:50:23.808974Z",
			"updated_at": "2026-04-10T02:00:05.291959Z",
			"deleted_at": null,
			"main_name": "Magic Hound",
			"aliases": [
				"Magic Hound",
				"TA453",
				"COBALT ILLUSION",
				"Charming Kitten",
				"ITG18",
				"Phosphorus",
				"APT35",
				"Mint Sandstorm"
			],
			"source_name": "MITRE:Magic Hound",
			"tools": [
				"Impacket",
				"CharmPower",
				"FRP",
				"Mimikatz",
				"Systeminfo",
				"ipconfig",
				"netsh",
				"PowerLess",
				"Pupy",
				"DownPaper",
				"PsExec"
			],
			"source_id": "MITRE",
			"reports": null
		},
		{
			"id": "99c7aace-96b1-445b-87e7-d8bdd01d5e03",
			"created_at": "2025-08-07T02:03:24.746965Z",
			"updated_at": "2026-04-10T02:00:03.640335Z",
			"deleted_at": null,
			"main_name": "COBALT ILLUSION",
			"aliases": [
				"APT35 ",
				"APT42 ",
				"Agent Serpens Palo Alto",
				"Charming Kitten ",
				"CharmingCypress ",
				"Educated Manticore Checkpoint",
				"ITG18 ",
				"Magic Hound ",
				"Mint Sandstorm sub-group ",
				"NewsBeef ",
				"Newscaster ",
				"PHOSPHORUS sub-group ",
				"TA453 ",
				"UNC788 ",
				"Yellow Garuda "
			],
			"source_name": "Secureworks:COBALT ILLUSION",
			"tools": [
				"Browser Exploitation Framework (BeEF)",
				"MagicHound Toolset",
				"PupyRAT"
			],
			"source_id": "Secureworks",
			"reports": null
		},
		{
			"id": "2bfa2cf4-e4ce-4599-ab28-d644208703d7",
			"created_at": "2025-08-07T02:03:24.764883Z",
			"updated_at": "2026-04-10T02:00:03.611225Z",
			"deleted_at": null,
			"main_name": "COBALT MIRAGE",
			"aliases": [
				"DEV-0270 ",
				"Nemesis Kitten ",
				"PHOSPHORUS ",
				"TunnelVision ",
				"UNC2448 "
			],
			"source_name": "Secureworks:COBALT MIRAGE",
			"tools": [
				"BitLocker",
				"Custom powershell scripts",
				"DiskCryptor",
				"Drokbk",
				"FRPC",
				"Fast Reverse Proxy (FRP)",
				"Impacket wmiexec",
				"Ngrok",
				"Plink",
				"PowerLessCLR",
				"TunnelFish"
			],
			"source_id": "Secureworks",
			"reports": null
		},
		{
			"id": "0b212c43-009a-4205-a1f7-545c5e4cfdf8",
			"created_at": "2025-04-23T02:00:55.275208Z",
			"updated_at": "2026-04-10T02:00:05.270553Z",
			"deleted_at": null,
			"main_name": "APT42",
			"aliases": [
				"APT42"
			],
			"source_name": "MITRE:APT42",
			"tools": [
				"NICECURL",
				"TAMECAT"
			],
			"source_id": "MITRE",
			"reports": null
		},
		{
			"id": "1699fb41-b83f-42ff-a6ec-984ae4a1031f",
			"created_at": "2022-10-25T16:07:23.83826Z",
			"updated_at": "2026-04-10T02:00:04.761303Z",
			"deleted_at": null,
			"main_name": "Magic Hound",
			"aliases": [
				"APT 35",
				"Agent Serpens",
				"Ballistic Bobcat",
				"Charming Kitten",
				"CharmingCypress",
				"Cobalt Illusion",
				"Cobalt Mirage",
				"Educated Manticore",
				"G0058",
				"G0059",
				"Magic Hound",
				"Mint Sandstorm",
				"Operation BadBlood",
				"Operation Sponsoring Access",
				"Operation SpoofedScholars",
				"Operation Thamar Reservoir",
				"Phosphorus",
				"TA453",
				"TEMP.Beanie",
				"Tarh Andishan",
				"Timberworm",
				"TunnelVision",
				"UNC788",
				"Yellow Garuda"
			],
			"source_name": "ETDA:Magic Hound",
			"tools": [
				"7-Zip",
				"AnvilEcho",
				"BASICSTAR",
				"CORRUPT KITTEN",
				"CWoolger",
				"CharmPower",
				"ChromeHistoryView",
				"CommandCam",
				"DistTrack",
				"DownPaper",
				"FRP",
				"Fast Reverse Proxy",
				"FireMalv",
				"Ghambar",
				"GoProxy",
				"GorjolEcho",
				"HYPERSCRAPE",
				"Havij",
				"MPK",
				"MPKBot",
				"Matryoshka",
				"Matryoshka RAT",
				"MediaPl",
				"Mimikatz",
				"MischiefTut",
				"NETWoolger",
				"NOKNOK",
				"PINEFLOWER",
				"POWERSTAR",
				"PowerLess Backdoor",
				"PsList",
				"Pupy",
				"PupyRAT",
				"SNAILPROXY",
				"Shamoon",
				"TDTESS",
				"WinRAR",
				"WoolenLogger",
				"Woolger",
				"pupy",
				"sqlmap"
			],
			"source_id": "ETDA",
			"reports": null
		}
	],
	"ts_created_at": 1775434675,
	"ts_updated_at": 1775792040,
	"ts_creation_date": 0,
	"ts_modification_date": 0,
	"files": {
		"pdf": "https://archive.orkl.eu/17a419248a785b5ba451d3ebcdb49e8326140c0b.pdf",
		"text": "https://archive.orkl.eu/17a419248a785b5ba451d3ebcdb49e8326140c0b.txt",
		"img": "https://archive.orkl.eu/17a419248a785b5ba451d3ebcdb49e8326140c0b.jpg"
	}
}